Google Switches On Browser Spy Cam in Chrome

/ Source: SecurityNewsDaily

This story was updated at 6:00 a.m. ET Friday with comment from Google.

Google's frequent Chrome browser updates are rarely exciting, but one new feature built into the latest version ought to wake you up.

Chrome 21, released yesterday (July 31), fully implements WebRTC (for "real-time communication"), a new standard that lets websites and Web applications use your computer's camera and microphone — all the better to see and hear you with, of course.

Previously, websites and apps had to use browser plug-ins such as Adobe Flash Player or Microsoft Silverlight for audio and video interaction with the user.

WebRTC leverages the powers of HTML5, the next generation of code underlying the Web, to build multimedia features directly into the browser. Google's Chrome blog already points to a couple of fun sites that let you take your picture with the browser or play a virtual xylophone.

That all sounds great, but there doesn't seem to be any way to disable WebRTC in Chrome 21.

An email seeking clarification from Google was not immediately returned.

"This is a standard Javascript API [application-platform interface], and just like other Javascript components cannot be enabled/disabled by itself," said Johannes Ullrich, chief technical officer at the SANS Technology Institute's Internet Storm Center. "You would have to compile your own custom version of Chrome."

Chrome requires websites and apps to ask the user's permission to access the camera and microphone. Yet any good hacker will tell you it's just a matter of time before someone finds a way around that and uses WebRTC to have an unauthorized look at what people are doing in front of their computers.

To be fair, WebRTC may not be any less secure than what it's replacing.

"The risk isn't really larger than having Flash installed (of course, more and more people disable or do not install Flash)," Ullrich told SecurityNewsDaily via email. "Flash already had the ability to access the camera and microphone, and had some vulnerabilities that allowed websites to trick the user into enabling the camera/microphone via clickjacking."

Besides Chrome, only the forward-looking Opera browser has implemented WebRTC. Mozilla Firefox and Microsoft Internet Explorer are working on including it in future versions.

Chrome users concerned about their privacy can't simply refuse to update to Chrome 21, because Chrome automatically updates itself. (For the technically skilled, there are ways to turn automatic updating off.)

If you're worried, put black tape over your Webcam when you're not using it. If you're using a desktop PC, there may be a way to disconnect the built-in microphone.

Chrome 21 also fixes 26 different, mostly moderate, security flaws. The single one rated "critical" is related to a tab-handling issue found only in the Linux version of the browser. 

Most of the other flaws apply to all versions of Chrome, and are rated as "low" to "high" threats.

UPDATE: A spokeswoman for Google told SecurityNewsDaily in an email, "We are working closely with the W3C [World Wide Web Consortium] to ensure there is a high standard of security and transparency with the GetUserMedia API [which enables WebRTC in Chrome], including ensuring the user is in control of whether and how media is used, and to make any usage transparent through in-product notifications.

"For example," she said, "the user needs to give permission for a site to use the camera by clicking 'allow' and a persistent notification that the camera is turned on will be present until the camera is turned off to remind users."

As for whether malicious actors could access the camera or microphone surreptitiously, "Because both the user consent (infobar) and notification mechanisms (system tray and persistent bubble) are in the browser, it's isolated from website content and therefore much harder to be broken by malicious sites."